Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    1200s
  • max time network
    1203s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14/08/2024, 00:48

General

  • Target

    UPDATE-HSYEYDBB.html.lnk

  • Size

    1KB

  • MD5

    ae64124a57d7f5de780f85b7456d90a2

  • SHA1

    ab9a153c0da841ed0cbdd70664a48ba0959eb8a9

  • SHA256

    119f0a88b3366805f6a592742b7ced190010eb98c81f32e251bd42d968b68471

  • SHA512

    0e9ad80748d97e55708bf4939bbe0179d558d643679065c101fa52f861e4d4527cc7bd86795388892f5fd466d2ac959e11f0b89f3c84c673a86d3a62e35ae910

Malware Config

Extracted

Family

latrodectus

C2

https://mazdakrichest.com/live/

https://riverhasus.com/live/

Signatures

  • Latrodectus loader

    Latrodectus is a loader written in C++.

  • Detect larodectus Loader variant 1 3 IoCs
  • Blocklisted process makes network request 64 IoCs
  • Loads dropped DLL 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\UPDATE-HSYEYDBB.html.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" version1.dll, scab
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_fbe146ab.dll", scab
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:4448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Custom_update\Update_fbe146ab.dll

    Filesize

    1.4MB

    MD5

    f834dfc1861cd6361f34496c3bbafe66

    SHA1

    a983e82d009901310c8a3255c4b4e3a02d556fa7

    SHA256

    e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7

    SHA512

    088a6170c948ddb2c2b0cf2431ae61688201ef5bc3f1af217a58bf18b26dd9e0ab7ee082f822e736d0467f62e33bf71b806127eb998bed8e739c1e441ac05e00

  • memory/3320-0-0x00000229FE770000-0x00000229FE774000-memory.dmp

    Filesize

    16KB

  • memory/3320-1-0x00000229FE780000-0x00000229FE793000-memory.dmp

    Filesize

    76KB

  • memory/3320-7-0x0000000180000000-0x000000018016F000-memory.dmp

    Filesize

    1.4MB

  • memory/4448-11-0x000001577F2B0000-0x000001577F2C3000-memory.dmp

    Filesize

    76KB

  • memory/4448-16-0x000001577F2B0000-0x000001577F2C3000-memory.dmp

    Filesize

    76KB